Session Initiation Protocol (SIP) is a well-known signaling protocol used to set up, modify and tear down sessions between endpoints. It is described in the Internet Engineering Task Force (IETF) specification RFC 3261 (and all related RFCs and drafts), which are incorporated herein by reference.
Each user (generally a client device, or user agent) initially registers its current network address with a registrar or location server using a registration process. The registrar server (or its database) maintains the network address bindings for each user within a particular domain (multiple servers may be utilized). Session initiation begins when a source user transmits an invite request (an INVITE) to a proxy server, which in turn queries the registrar (location service) to determine the network address of the intended destination user (the INVITE may also travel through additional proxies, depending on the location of the destination user). During the resulting handshake (INVITE, provisional and final responses, ACK), each endpoint learns the contact address of the other, carried in the Contact header of the request and of the final response. Thereafter, the source user device and destination user device communicate directly in a session using each other's known network address (e.g., IP address and port).
During the registration process, a user sends a REGISTER request to the registrar server that includes its current location information (e.g., IP address and port, carried in the Contact header together with an expiry). The registrar server (or location server) associates the user's address-of-record (e.g., a SIP URI such as sip:user@domain) with that location information. In some embodiments, intermediate servers (e.g., proxy servers) are positioned in the path between the user device and the registrar server. In other embodiments, the registrar server is co-located with a proxy server, and the distinction between them is purely logical. When the registrar or location server is physically remote from the proxy server, or when additional network elements are positioned in the path between the user client and the registrar, the elements in the path simply forward the registration messages between the client device and the registrar. These elements are referred to as "in-path" network devices or elements. In-path devices may include any type of network device, including but not limited to a firewall, a SIP firewall, a SIP-aware network address translator (NAT) device, a session border controller (SBC), any other type of back-to-back user agent (B2BUA), and the like.
Because of increased security concerns, networks are becoming more sophisticated, and more and more security devices, such as firewalls, are being deployed in the network. Because SIP is an end-to-end protocol, once the initial INVITE exchange has established a dialog between the source and destination endpoints, subsequent in-dialog signaling (e.g., re-INVITE, UPDATE, BYE) is addressed directly to the peer endpoint's Contact address. RFC 3261 allows a proxy to remain in the path only if it inserts a Record-Route header during the initial exchange, so that the endpoints place it in their route set; an in-path security device that merely forwards the registration and INVITE messages transparently, such as a SIP firewall or NAT, records nothing and is therefore excluded from the further SIP signaling path between the two endpoints.
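The registration, proxy lookup and in-dialog routing described above, as an added worked example that is not part of the original text: a small Python model of a registrar and a proxy that parses constructed REGISTER and INVITE messages, resolves the destination's registered contact, and then computes where the dialog's later requests are sent. The proxy name sip:sbc.example.com, the addresses 192.0.2.x and the message text are assumptions made up for the example; the route-set rules follow RFC 3261 sections 12.1.2 and 12.2.1.1 (loose routing). Running it with and without Record-Route shows the exclusion problem the text describes: without it the BYE goes straight to the peer and the in-path device never sees it.

```python
"""Toy SIP registrar/proxy model (added example, not from the original text)."""
from dataclasses import dataclass
import re
import time


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict  # lowercase header name -> list of values, in order seen


def parse_request(text: str) -> SipRequest:
    """Parse the request line and headers of a CRLF-separated SIP request."""
    lines = text.strip().split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return SipRequest(method, uri, headers)


def header_uri(value: str) -> str:
    """Extract the URI from a To/Contact/Record-Route value such as '<sip:x>;expires=60'."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()


class Registrar:
    """Binds an address-of-record to the contact addresses registered for it."""

    def __init__(self):
        self.bindings = {}  # aor -> {contact_uri: absolute expiry time}

    def handle_register(self, req: SipRequest, now=None):
        now = time.time() if now is None else now
        aor = header_uri(req.headers["to"][0])
        default_expires = int(req.headers.get("expires", ["3600"])[0])
        bindings = self.bindings.setdefault(aor, {})
        for contact in req.headers.get("contact", []):
            uri = header_uri(contact)
            m = re.search(r";expires=(\d+)", contact)
            expires = int(m.group(1)) if m else default_expires
            if expires == 0:  # expires=0 removes the binding (de-registration)
                bindings.pop(uri, None)
            else:
                bindings[uri] = now + expires
        return aor, sorted(bindings)

    def lookup(self, aor: str, now=None):
        """Current (unexpired) contacts for an address-of-record."""
        now = time.time() if now is None else now
        return sorted(u for u, exp in self.bindings.get(aor, {}).items() if exp > now)


class Proxy:
    """Resolves an INVITE's target via the registrar; optionally records itself in the path."""

    def __init__(self, registrar: Registrar, own_uri: str, record_route: bool):
        self.registrar, self.own_uri, self.record_route = registrar, own_uri, record_route

    def forward_invite(self, req: SipRequest) -> SipRequest:
        targets = self.registrar.lookup(req.request_uri)
        if not targets:
            raise LookupError("480 Temporarily Unavailable: no current binding")
        fwd = SipRequest(req.method, targets[0], {k: list(v) for k, v in req.headers.items()})
        if self.record_route:  # RFC 3261 16.6 step 4: proxy asks to stay in the dialog path
            fwd.headers.setdefault("record-route", []).insert(0, f"<{self.own_uri};lr>")
        return fwd


def in_dialog_next_hop(remote_target: str, route_set: list):
    """First hop of an in-dialog request (RFC 3261 12.2.1.1, loose routing)."""
    if not route_set:
        return remote_target, []  # no Route headers: request goes straight to the peer
    return route_set[0], list(route_set)  # Request-URI stays remote target; Route = route set


# Constructed sample messages (not captured traffic).
BOB_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "To: <sip:bob@example.com>\r\n"
    "From: <sip:bob@example.com>;tag=a1\r\n"
    "Contact: <sip:bob@192.0.2.20:5060>;expires=3600\r\n\r\n"
)
ALICE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "To: <sip:bob@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=b2\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n\r\n"
)


def run_call(record_route: bool):
    """Register Bob, proxy Alice's INVITE, and return where Alice's later BYE is sent."""
    registrar = Registrar()
    registrar.handle_register(parse_request(BOB_REGISTER))
    proxy = Proxy(registrar, "sip:sbc.example.com", record_route)
    fwd = proxy.forward_invite(parse_request(ALICE_INVITE))
    # Bob's 200 OK echoes the Record-Route values; Alice's route set is built from them
    # (RFC 3261 12.1.2) and her remote target is Bob's Contact, i.e. his registered address.
    route_set = [header_uri(v) for v in fwd.headers.get("record-route", [])]
    return in_dialog_next_hop(fwd.request_uri, route_set)


if __name__ == "__main__":
    print("without Record-Route, BYE goes to:", run_call(False)[0])
    print("with Record-Route, BYE goes to:   ", run_call(True)[0])
```

The model deliberately omits transport, transactions and authentication; the point it isolates is that only an element which inserts itself into the route set during the first exchange is visited by later requests, which is why a transparent forwarder such as a SIP firewall falls out of the path.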
Accordingly, there is a need for a method and apparatus that ensures in-path network security devices, such as SIP firewalls, remain in the signaling path for the entire communication session between the endpoints.